03-03-2022 05:33 AM
Hi Cisco
I would like to escalate to a Cisco technician. After a few days of trying to get things working with FDM to get identity NAT working, I have a problem: there seems to be a handover problem on one of the legs of the FTD. I have enclosed the configuration and ping results.
03-03-2022 06:19 AM
This is the (free) Cisco community, not the (paid) Cisco TAC. Members here help out of goodwill.
Your NAT rules should use (inside,outside). Also, when you run packet-tracer, make the input inside and use the real IP address of the server you want to test (not the public NAT address). Finally, your incoming access-list entries allow ip any incoming to your servers. This is generally a very bad idea as it essentially exposes the server to the Internet on all ports.
03-05-2022 07:58 PM
So you want something like this example?
That's on ASA but the concept is the same. You might also take a look at this free Labminutes video for a demonstration on how to set up static NAT using FDM:
http://www.labminutes.com/sec0232_ftd_61_firepower_device_manager_configuration_1
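The ASA-style configuration the answer above describes, as an added example that is not part of the original post: a mail server that keeps its public address on the inside, an identity NAT rule on the (inside,outside) pair, the over-broad "permit ip any" entry next to a tightened replacement, and packet-tracer run from the inside with the server's real address. All addresses are constructed placeholders from the RFC 5737 documentation ranges; on FDM the same NAT rule is built in the NAT page by giving the original and translated address the same object.

```text
! Constructed example, not from the thread. The mail server keeps its
! public address 203.0.113.10 on the inside interface.
object network MAIL-SERVER
 host 203.0.113.10
 ! Identity NAT: translated address equals the real address, so nothing is
 ! rewritten, but the (inside,outside) pair still binds the server to the
 ! correct egress interface so the "handover" between legs is unambiguous.
 nat (inside,outside) static 203.0.113.10

! Weak entry as discussed above (kept here commented out, for comparison):
! it exposes every port on the server to the Internet.
! access-list OUTSIDE_IN extended permit ip any object MAIL-SERVER

! Tightened replacement: only the mail services the server actually offers.
access-list OUTSIDE_IN extended permit tcp any object MAIL-SERVER eq smtp
access-list OUTSIDE_IN extended permit tcp any object MAIL-SERVER eq 587
access-list OUTSIDE_IN extended permit tcp any object MAIL-SERVER eq 993
access-group OUTSIDE_IN in interface outside

! Verification, as the answer advises: input on inside, real server IP as
! source. 198.51.100.25 is a constructed remote host.
packet-tracer input inside tcp 203.0.113.10 1025 198.51.100.25 25

! Inbound check for a permitted service; with identity NAT the destination
! is the same real address, so no un-NAT step should appear in the output.
packet-tracer input outside tcp 198.51.100.25 40000 203.0.113.10 25
```

The first trace should show the NAT phase matching the identity rule and the ACCESS-LIST phase allowing the flow; a trace to a port not listed (for example 3389) should stop at the access-list phase with a drop.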
03-03-2022 09:04 AM
@Marvin Rhoads the idea is to implement NAT 0 or identity NAT, where there is no NAT at all for the public address... But I'm not getting that at all.
03-04-2022 07:14 AM
Can you explain in more detail what you are trying to do? NAT 0 is typically used when the host(s) need to traverse a VPN and not be NATted (NAT exemption).
03-04-2022 08:23 AM
@Marvin Rhoads I want to protect my mail and other servers with public addresses, but I don't want to change the IP address on the servers. So I'm using FDM to deploy, not FMC.
03-09-2022 07:40 AM
Thanks, I got it
Thanks, I got it ... I think I interpreted it wrong.
03-03-2022 06:35 AM
Adding to Marvin's answer: your Firepower uses completely outdated software. You really should update to a recent version. But this is not related to your problem.
03-03-2022 07:04 AM
Contact the same TAC case as before and re-open it to get help from a Cisco technician.